• DocumentCode
    3432890
  • Title

    Containing Hitlist-Based Worms with Polymorphic Signatures

  • Author

    Richardson, Theodor ; Huang, Chin-Tser

  • Author_Institution
    Towson Univ., Towson
  • fYear
    2007
  • fDate
    13-16 Aug. 2007
  • Firstpage
    652
  • Lastpage
    657
  • Abstract
    Worms are a significant threat to network systems, both through resource consumption and malicious activity. This paper examines the spread of a class of hitlist-based worms that attempt to propagate by searching for address book files on the host system and using the host's mail program to spread to the addresses found. This threat becomes more severe when the worms are assumed to be polymorphic in nature - able to dynamically change their signature to elude capture. Because the method of propagation for these worms is predictable, it is possible to contain their spread through the use of honeytoken e-mail addresses in the client address book. Any e-mail received by the honeytoken address will be immediately recognized as malicious and can therefore be used to flag client machines as infected. This paper provides a complete description of a method to allow for better containment of this class of worms. The results of the proposed method are examined and compared to a previous method of capturing this type of worm.
  • Keywords
    electronic mail; invasive software; telecommunication security; e-mail address; honeytokens; polymorphic signatures; resource consumption; worm capture; worm containment; Books; Computer networks; Computer science; Computer worms; Cryptography; Payloads; Postal services; Software standards; Software systems; Telecommunication traffic; honeytokens; polymorphic worms; worm capture; worm containment;
  • fLanguage
    English
  • Publisher
    IEEE
  • Conference_Titel
    Computer Communications and Networks, 2007. ICCCN 2007. Proceedings of 16th International Conference on
  • Conference_Location
    Honolulu, HI
  • ISSN
    1095-2055
  • Print_ISBN
    978-1-4244-1251-8
  • Electronic_ISBN
    1095-2055
  • Type

    conf

  • DOI
    10.1109/ICCCN.2007.4317891
  • Filename
    4317891